Getting Data In

splunk detects _time right, but displays it wrong

SplunkTrust

Hi,

I have an issue with the _time field in Splunk.

An event like this gets into Splunk.
[screenshot of the indexed event, not reproduced]

While the date_hour, date_minute and date_second fields are extracted correctly, the _time field doesn't display the time correctly.
8:05 AM is not 10:05 in European format.

The sourcetype for these events is specified as follows:
[screenshot of the sourcetype configuration, not reproduced]

Somehow the _time field does not show the correct timestamp.

What can I do?

1 Solution

Builder

Hi,

The problem is the timezone (not the time format) that you have selected. Probably your role isn't in the same time zone.

Regards,


Path Finder

Sorry to resurrect this post but it describes the same problem I'm having and I can't seem to get it working.
(I'm using Splunk Enterprise v6.6.8)

I created an input using DB Connect 2.4.0 and at the point of setting the Metadata for my DB input my source and sourcetype didn't exist, so I typed them into the boxes and all appeared well. Until of course I realised that my input is using a 'UTCDateTime' field from my original source as its timestamp; however, it is being displayed another hour behind UTC for some reason. **I'm in the UK so our current local time is UTC+1.** The user that the DB Connect Inputs runs as is set to "Default System Timezone", I have checked the date/time for the HF on which DB Connect resides and it is correct (UTC+1).

I then set about creating the sourcetype on my SH, Indexer and HF, setting the Timestamp to Auto. My data is still being indexed with a timestamp an hour behind the time specified in the original UTCDateTime field.

I haven't tinkered with any props.conf files or anything like that yet.

Any ideas where I've gone wrong? Do I need to restart any/all of the servers for the sourcetype to work?


Path Finder

Just closing this off now as I've fixed my problem. I'm now pointing to the LocalDateTime column as the timestamp which my SH automatically changes to UTC as per all other logs so it's consistent throughout.
Happy days.


Ultra Champion

What you could have done instead is set the timezone in the DB Connect connection to UTC. If you use a UTC column to get the time, you need to tell Splunk it is UTC; otherwise it will interpret it based on the forwarder's local timezone (in your case UTC+1).


Path Finder

When you say "set the timezone in the db connect connection to UTC", where exactly would I do this? I can't see an option for setting the timezone of a DB connection.
Thanks


Ultra Champion

Here:
[screenshot: DB Connect connection timezone setting, not reproduced]

Path Finder

Ah, thanks FrankVI. From the looks of your screenshot you must be using a more up-to-date version of DB Connect than me (2.4.0).
Maybe time I did an upgrade!


Ultra Champion

Yeah, I'm running 3.1.3 here.

Maybe you could still set it through a props.conf as you would normally do with timezone settings, but I'm not sure if that works for DB Connect inputs.


Path Finder

No, from reading the Splunk Docs it doesn't appear possible in this version.

Happy to be proven wrong though...


Ultra Champion

props.conf is independent of the DB Connect version, right? There must be some way to tell Splunk how to interpret timezones...


SplunkTrust

Oh, ok, do you think it's wrong because the free cloud is hosted in the USA and I live in Germany?


Builder

No, the problem is that you set a timezone in the logs and your user (admin) has the default timezone.

If you go to Settings >> Access control >> Users and in your user set the same timezone that you configured in the logs, you will get the correct time.

Hope this helps you.
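The two problems in this thread are really two different stages of one pipeline: at index time Splunk turns the raw timestamp into an epoch `_time` (using the offset in the event if there is one, otherwise the `TZ` setting from props.conf or the DB Connect connection, otherwise the forwarder's local zone), and at search time the search head renders that epoch in the user's preferred timezone. The following Python script is an added example, not code from the original thread or from Splunk; it models those two stages with fixed offsets (constructed stand-ins for UK and German summer time) and shows why the original poster sees 8:05 AM for a 10:05 CEST event, and why a UTC column without `TZ = UTC` lands an hour early when the forwarder runs at UTC+1.

```python
from datetime import datetime, timedelta, timezone

# Constructed fixed-offset zones standing in for the summer-time zones in the thread.
UTC = timezone.utc
UK_SUMMER = timezone(timedelta(hours=1), "BST")   # forwarder's local zone in the DB Connect case
DE_SUMMER = timezone(timedelta(hours=2), "CEST")  # original poster's local zone

# Hypothetical helper, not Splunk's own code: models how _time is derived at index time.
def index_time(raw: str, time_format: str, tz=None) -> int:
    """Return the epoch seconds that would be stored as _time for a raw timestamp.

    Precedence mirrors the documented Splunk behaviour: an offset inside the
    event wins; otherwise the configured TZ (props.conf 'TZ' or the DB Connect
    connection timezone) applies; with neither, the caller must pass the
    forwarder's local zone, because that is what Splunk would assume.
    """
    parsed = datetime.strptime(raw, time_format)
    if parsed.tzinfo is None:
        if tz is None:
            raise ValueError("naive timestamp and no TZ configured: pass the forwarder's local zone")
        parsed = parsed.replace(tzinfo=tz)
    return int(parsed.timestamp())

# Hypothetical helper: models how the search head renders _time for a user.
def display_time(epoch: int, user_tz) -> str:
    """Render a stored _time in the user's preferred timezone (Settings >> Users)."""
    return datetime.fromtimestamp(epoch, user_tz).strftime("%Y-%m-%d %H:%M %Z")

def original_poster_case():
    """Event carries its own offset, so _time is stored correctly.

    Only the user's display timezone decides whether 08:05 UTC or 10:05 CEST
    is shown, which is the accepted answer in the thread.
    """
    epoch = index_time("2018-07-10 10:05:00 +0200", "%Y-%m-%d %H:%M:%S %z")
    return display_time(epoch, UTC), display_time(epoch, DE_SUMMER)

def db_connect_case() -> int:
    """A UTCDateTime column has no offset; return how many seconds early _time
    is stored when the forwarder's local zone (UTC+1) is assumed instead of UTC."""
    raw, fmt = "2018-07-10 08:05:00", "%Y-%m-%d %H:%M:%S"
    assumed_local = index_time(raw, fmt, tz=UK_SUMMER)  # no TZ configured
    declared_utc = index_time(raw, fmt, tz=UTC)         # TZ = UTC configured
    return declared_utc - assumed_local

if __name__ == "__main__":
    print("as admin (default tz) / as a user set to CEST:", original_poster_case())
    print("UTC column indexed early by", db_connect_case(), "seconds without TZ = UTC")
```

The last function is the check to run before touching user settings: if the gap is exactly one hour (or whatever the forwarder's offset is), the fix belongs at index time, either in the DB Connect connection timezone or as `TZ = UTC` in the sourcetype's props.conf stanza on the heavy forwarder, and the user's display timezone should be left alone.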

SplunkTrust

Thank you, I found it! ♥
